Prohibit use of low level digest APIs in FIPS mode.

[openssl.git] / crypto / crypto.h

diff --git a/crypto/crypto.h b/crypto/crypto.h
index 0a34ef2ac210a42d49f06266120b48ae8d89cab7..da3e27bc2f815089146aa9bb6bf05d871def8a8e 100644 (file)
--- a/crypto/crypto.h
+++ b/crypto/crypto.h
@@ -552,6 +552,22 @@ int FIPS_mode_set(int r);
 
 void OPENSSL_init(void);
 
+#define fips_md_init(alg) fips_md_init_ctx(alg, alg)
+
+#ifdef OPENSSL_FIPS
+#define fips_md_init_ctx(alg, cx) \
+       int alg##_Init(cx##_CTX *c) \
+       { \
+       if (FIPS_mode()) OpenSSLDie(__FILE__, __LINE__, \
+               "Low level API call to digest " #alg " forbidden in FIPS mode!"); \
+       return private_##alg##_Init(c); \
+       } \
+       int private_##alg##_Init(cx##_CTX *c)
+#else
+#define fips_md_init_ctx(alg, cx) \
+       int alg##_Init(cx##_CTX *c)
+#endif
+
 /* BEGIN ERROR CODES */
 /* The following lines are auto generated by the script mkerr.pl. Any changes
  * made after this point may be overwritten when the script is next run.